Intelligence-Driven Computer Network Defense Informed By .
Intelligence-Driven Computer Network DefenseInformed by Analysis of Adversary Campaigns andIntrusion Kill ChainsEric M. Hutchins , Michael J. Cloppert†, Rohan M. Amin, Ph.D.‡Lockheed Martin CorporationAbstractConventional network defense tools such as intrusion detection systems and anti-virus focus onthe vulnerability component of risk, and traditional incident response methodology presupposes asuccessful intrusion. An evolution in the goals and sophistication of computer network intrusionshas rendered these approaches insufficient for certain actors. A new class of threats, appropriatelydubbed the “Advanced Persistent Threat” (APT), represents well-resourced and trained adversariesthat conduct multi-year intrusion campaigns targeting highly sensitive economic, proprietary, ornational security information. These adversaries accomplish their goals using advanced tools andtechniques designed to defeat most conventional computer network defense mechanisms. Networkdefense techniques which leverage knowledge about these adversaries can create an intelligencefeedback loop, enabling defenders to establish a state of information superiority which decreases theadversary’s likelihood of success with each subsequent intrusion attempt. Using a kill chain model todescribe phases of intrusions, mapping adversary kill chain indicators to defender courses of action,identifying patterns that link individual intrusions into broader campaigns, and understanding theiterative nature of intelligence gathering form the basis of intelligence-driven computer network defense(CND). Institutionalization of this approach reduces the likelihood of adversary success, informsnetwork defense investment and resource prioritization, and yields relevant metrics of performanceand effectiveness. The evolution of advanced persistent threats necessitates an intelligence-basedmodel because in this model the defenders mitigate not just vulnerability, but the threat componentof risk, too.Keywords: incident response, intrusion detection, intelligence, threat, APT, computer network defense1IntroductionAs long as global computer networks have existed, so have malicious users intent on exploiting vulnerabilities. Early evolutions of threats to computer networks involved self-propagating code. Advancementsover time in anti-virus technology significantly reduced this automated risk. More recently, a new classof threats, intent on the compromise of data for economic or military advancement, emerged as thelargest element of risk facing some industries. This class of threat has been given the moniker “AdvancedPersistent Threat,” or APT. To date, most organizations have relied on the technologies and processesimplemented to mitigate risks associated with automated viruses and worms which do not sufficientlyaddress focused, manually operated APT intrusions. Conventional incident response methods fail tomitigate the risk posed by APTs because they make two flawed assumptions: response should happenafter the point of compromise, and the compromise was the result of a fixable flaw (Mitropoulos et al.,2006; National Institute of Standards and Technology, 2008).APTs have recently been observed and characterized by both industry and the U.S. government. In Juneand July 2005, the U.K. National Infrastructure Security Co-ordination Centre (UK-NISCC) and the U.S. eric.m.hutchins@lmco.com† michael.j.cloppert@lmco.com‡ rohan.m.amin@lmco.com1
Computer Emergency Response Team (US-CERT) issued technical alert bulletins describing targeted,socially-engineered emails dropping trojans to exfiltrate sensitive information. These intrusions wereover a significant period of time, evaded conventional firewall and anti-virus capabilities, and enabledadversaries to harvest sensitive information (UK-NISCC, 2005; US-CERT, 2005). Epstein and Elgin(2008) of Business Week described numerous intrusions into NASA and other government networkswhere APT actors were undetected and successful in removing sensitive high-performance rocket designinformation. In February 2010, iSec Partners noted that current approaches such as anti-virus andpatching are not sufficient, end users are directly targeted, and threat actors are after sensitive intellectualproperty (Stamos, 2010).Before the U.S. House Armed Services Committee Subcommittee on Terrorism, Unconventional Threatsand Capabilities, James Andrew Lewis of the Center for Strategic and International Studies testifiedthat intrusions occurred at various government agencies in 2007, including the Department of Defense,State Department and Commerce Department, with the intention of information collection (Lewis, 2008).With specificity about the nature of computer network operations reportedly emanating from China,the 2008 and 2009 reports to Congress of the U.S.-China Economic and Security Review Commissionsummarized reporting of targeted intrusions against U.S. military, government and contractor systems.Again, adversaries were motivated by a desire to collect sensitive information (U.S.-China Economicand Security Review Commission, 2008, 2009). Finally, a report prepared for the U.S.-China Economicand Security Review Commission, Krekel (2009) profiles an advanced intrusion with extensive detaildemonstrating the patience and calculated nature of APT.Advances in infrastructure management tools have enabled best practices of enterprise-wide patchingand hardening, reducing the most easily accessible vulnerabilities in networked services. Yet APT actorscontinually demonstrate the capability to compromise systems by using advanced tools, customizedmalware, and “zero-day” exploits that anti-virus and patching cannot detect or mitigate. Responses toAPT intrusions require an evolution in analysis, process, and technology; it is possible to anticipate andmitigate future intrusions based on knowledge of the threat. This paper describes an intelligence-driven,threat-focused approach to study intrusions from the adversaries’ perspective. Each discrete phase of theintrusion is mapped to courses of action for detection, mitigation and response. The phrase “kill chain”describes the structure of the intrusion, and the corresponding model guides analysis to inform actionablesecurity intelligence. Through this model, defenders can develop resilient mitigations against intrudersand intelligently prioritize investments in new technology or processes. Kill chain analysis illustrates thatthe adversary must progress successfully through each stage of the chain before it can achieve its desiredobjective; just one mitigation disrupts the chain and the adversary. Through intelligence-driven response,the defender can achieve an advantage over the aggressor for APT caliber adversaries.This paper is organized as follows: section two of this paper documents related work on phase basedmodels of defense and countermeasure strategy. Section three introduces an intelligence-driven computernetwork defense model (CND) that incorporates threat-specific intrusion analysis and defensive mitigations.Section four presents an application of this new model to a real case study, and section five summarizesthe paper and presents some thoughts on future study.2Related WorkWhile the modeling of APTs and corresponding response using kill chains is unique, other phase basedmodels to defensive and countermeasure strategies exist.A United States Department of Defense Joint Staff publication describes a kill chain with stages find,fix, track, target, engage, and assess (U.S. Department of Defense, 2007). The United States Air Force(USAF) has used this framework to identify gaps in Intelligence, Surveillance and Reconnaissance (ISR)capability and to prioritize the development of needed systems (Tirpak, 2000). Threat chains havealso been used to model Improvised Explosive Device (IED) attacks (National Research Council, 2007).The IED delivery chain models everything from adversary funding to attack execution. Coordinatedintelligence and defensive efforts focused on each stage of the IED threat chain as the ideal way to counterthese attacks. This approach also provides a model for identification of basic research needs by mappingexisting capability to the chain. Phase based models have also been used for antiterrorism planning. TheUnited States Army describes the terrorist operational planning cycle as a seven step process that servesas a baseline to assess the intent and capability of terrorist organizations (United States Army Training2
and Doctrine Command, 2007). Hayes (2008) applies this model to the antiterrorism planning process formilitary installations and identifies principles to help commanders determine the best ways to protectthemselves.Outside of military context, phase based models have also been used in the information security field.Sakuraba et al. (2008) describe the Attack-Based Sequential Analysis of Countermeasures (ABSAC)framework that aligns types of countermeasures along the time phase of an attack. The ABSAC approachincludes more reactive post-compromise countermeasures than early detection capability to uncoverpersistent adversary campaigns. In an application of phase based models to insider threats, Duranet al. (2009) describe a tiered detection and countermeasure strategy based on the progress of maliciousinsiders. Willison and Siponen (2009) also address insider threat by adapting a phase based model calledSituational Crime Prevention (SCP). SCP models crime from the offender’s perspective and then mapscontrols to various phases of the crime. Finally, the security company Mandiant proposes an “exploitationlife cycle”. The Mandiant model, however, does not map courses of defensive action and is based onpost-compromise actions (Mandiant, 2010). Moving detections and mitigations to earlier phases of theintrusion kill chain is essential for CND against APT actors.3Intelligence-driven Computer Network DefenseIntelligence-driven computer network defense is a risk management strategy that addresses the threatcomponent of risk, incorporating analysis of adversaries, their capabilities, objectives, doctrine andlimitations. This is necessarily a continuous process, leveraging indicators to discover new activity withyet more indicators to leverage. It requires a new understanding of the intrusions themselves, not assingular events, but rather as phased progressions. This paper presents a new intrusion kill chain modelto analyze intrusions and drive defensive courses of action.The effect of intelligence-driven CND is a more resilient security posture. APT actors, by their nature,attempt intrusion after intrusion, adjusting their operations based on the success or failure of eachattempt. In a kill chain model, just one mitigation breaks the chain and thwarts the adversary, thereforeany repetition by the adversary is a liability that defenders must recognize and leverage. If defendersimplement countermeasures faster than adversaries evolve, it raises the costs an adversary must expendto achieve their objectives. This model shows, contrary to conventional wisdom, such aggressors have noinherent advantage over defenders.3.1Indicators and the Indicator Life CycleThe fundamental element of intelligence in this model is the indicator. For the purposes of this paper, anindicator is any piece of information that objectively describes an intrusion. Indicators can be subdividedinto three types: Atomic - Atomic indicators are those which cannot be broken down into smaller parts and retaintheir meaning in the context of an intrusion. Typical examples here are IP addresses, email addresses,and vulnerability identifiers. Computed - Computed indicators are those which are derived from data involved in an incident.Common computed indicators include hash values and regular expressions. Behavioral - Behavioral indicators are collections of computed and atomic indicators, often subjectto qualification by quantity and possibly combinatorial logic. An example would be a statementsuch as ”the intruder would initially used a backdoor which generated network traffic matching[regular expression] at the rate of [some frequency] to [some IP address], and then replace it withone matching the MD5 hash [value] once access was established.”Using the concepts in this paper, analysts will reveal indicators through analysis or collaboration, maturethese indicators by leveraging them in their tools, and then utilize them when matching activity isdiscovered. This activity, when investigated, will often lead to additional indicators that will be subjectto the same set of actions and states. This cycle of actions, and the corresponding indicator states, formthe indicator life cycle illustrated in Figure 1. This applies to all indicators indiscriminately, regardless oftheir accuracy or applicability. Tracking the derivation of a given indicator from its predecessors can be3
time-consuming and problematic if sufficient tracking isn’t in place, thus it is imperative that indicatorssubject to these processes are valid and applicable to the problem set in question. If attention is not paidto this point, analysts may find themselves applying these techniques to threat actors for which theywere not designed, or to benign activity scoverMatureFigure 1: Indicator life cycle states and transitions3.2Intrusion Kill ChainA kill chain is a systematic process to target and engage an adversary to create desired effects. U.S.military targeting doctrine defines the steps of this process as find, fix, track, target, engage, assess(F2T2EA): find adversary targets suitable for engagement; fix their location; track and observe; targetwith suitable weapon or asset to create desired effects; engage adversary; assess effects (U.S. Departmentof Defense, 2007). This is an integrated, end-to-end process described as a “chain” because any onedeficiency will interrupt the entire process.Expanding on this concept, this paper presents a new kill chain model, one specifically for intrusions.The essence of an intrusion is that the aggressor must develop a payload to breach a trusted boundary,establish a presence inside a trusted environment, and from that presence, take actions towards theirobjectives, be they moving laterally inside the environment or violating the confidentiality, integrity,or availability of a system in the environment. The intrusion kill chain is defined as reconnaissance,weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives.With respect to computer network attack (CNA) or computer network espionage (CNE), the definitionsfor these kill chain phases are as follows:1. Reconnaissance - Research, identification and selection of targets, often represented as crawlingInternet websites such as conference proceedings and mailing lists for email addresses, socialrelationships, or information on specific technologies.2. Weaponization - Coupling a remote access trojan with an exploit into a deliverable payload,typically by means of an automated tool (weaponizer). Increasingly, client application data files suchas Adobe Portable Document Format (PDF) or Microsoft Office documents serve as the weaponizeddeliverable.3. Delivery - Transmission of the weapon to the targeted environment. The three most prevalentdelivery vectors for weaponized payloads by APT actors, as observed by the Lockheed MartinComputer Incident Response Team (LM-CIRT) for the years 2004-2010, are email attachments,websites, and USB removable media.4. Exploitation - After the weapon is delivered to victim host, exploitation triggers intruders’ code.Most often, exploitation targets an application or operating system vulnerability, but it could alsomore simply exploit the users themselves or leverage an operating system feature that auto-executescode.4
5. Installation - Installation of a remote access trojan or backdoor on the victim system allows theadversary to maintain persistence inside the environment.6. Command and Control (C2) - Typically, compromised hosts must beacon outbound to anInternet controller server to establish a C2 channel. APT malware especially requires manualinteraction rather than conduct activity automatically. Once the C2 channel establishes, intrudershave “hands on the keyboard” access inside the target environment.7. Actions on Objectives - Only now, after progressing through the first six phases, can intruderstake actions to achieve their original objectives. Typically, this objective is data exfiltration whichinvolves collecting, encrypting and extracting information from the victim environment; violationsof data integrity or availability are potential objectives as well. Alternatively, the intruders mayonly desire access to the initial victim box for use as a hop point to compromise additional systemsand move laterally inside the network.3.3Courses of ActionThe intrusion kill chain becomes a model for actionable intelligence when defenders align enterprisedefensive capabilities to the specific processes an adversary undertakes to target that enterprise. Defenderscan measure the performance as well as the effectiveness of these actions, and plan investment roadmapsto rectify any capability gaps. Fundamentally, this approach is the essence of intelligence-driven CND:basing security decisions and measurements on a keen understanding of the adversary.Table 1 depicts a course of action matrix using the actions of detect, deny, disrupt, degrade, deceive, anddestroy from DoD information operations (IO) doctrine (U.S. Department of Defense, 2006). This matrixdepicts in the exploitation phase, for example, that host intrusion detection systems (HIDS) can passivelydetect exploits, patching denies exploitation altogether, and data execution prevention (DEP) can disruptthe exploit once it initiates. Illustrating the spectrum of capabilities defenders can employ, the matrixincludes traditional systems like network intrusion detection systems (NIDS) and firewall access controllists (ACL), system hardening best practices like audit logging, but also vigilant users themselves whocan detect suspicious activity.Table 1: Courses of Action yVigilant userProxy filterIn-line ��chroot” jailAVC2NIDSFirewallACLNIPSActions onObjectivesAudit logDeceiveTarpitDNSredirectQuality ofServiceHoneypotDestroyHere, completeness equates to resiliency, which is the defender’s primary goal when faced with persistentadversaries that continually adapt their operations over time. The most notable adaptations are exploits,particularly previously undisclosed “zero-day” exploits. Security vendors call these “zero-day attacks,”and tout “zero day protection”. This myopic focus fails to appreciate that the exploit is but one changein a broader process. If intruders deploy a zero-day exploit but reuse observable tools or infrastructure5
in other phases, that major improvement is fruitless if the defenders have mitigations for the repeatedindicators. This repetition demonstrates a defensive strategy of complete indicator utilization achievesresiliency and forces the adversary to make more difficult and comprehensive adjustments to achieve theirobjectives. In this way, the defender increases the adversary’s cost of executing successful intrusions.Defenders can generate metrics of this resiliency by measuring the performance and effectiveness ofdefensive actions against the intruders. Consider an example series of intrusion attempts from a singleAPT campaign that occur over a seven month timeframe, shown in Figure 2. For each phase of thekill chain, a white diamond indicates relevant, but passive, detections were in place at the time of thatmonth’s intrusion attempt, a black diamond indicates relevant mitigations were in place, and an emp
intrusion kill chain is essential for CND against APT actors. 3 Intelligence-driven Computer Network Defense Intelligence-driven computer network defense is a risk management strategy that addresses the threat component of risk, incorporating analysis of adversaries, their capabilities, objectives, doctrine and .
Defense Advanced Research Projects Agency. Defense Commissary Agency. Defense Contract Audit Agency. Defense Contract Management Agency * Defense Finance and Accounting Service. Defense Health Agency * Defense Information Systems Agency * Defense Intelligence Agency * Defense Legal Services Agency. Defense Logistics Agency * Defense POW/MIA .
Certified Network Defense (CND) Outline . Module 01: Computer Network and Defense Fundamentals Network Fundamentals Computer Network Types of Network Major Network Topologies Network Components Network Interface Card
Research, Development, Test and Evaluation, Defense-Wide Defense Advanced Research Projects Agency Volume 1 Missile Defense Agency Volume 2 . Defense Contract Management Agency Volume 5 Defense Threat Reduction Agency Volume 5 The Joint Staff Volume 5 Defense Information Systems Agency Volume 5 Defense Technical Information Center Volume 5 .
French Defense - Minor Variations French Defense - Advance Variation French Defense - Tarrasch Variation: 3.Nd2 French Defense - Various 3.Nc3 Variations French Defense - Winawer Variation: 3.Nc3 Bb4 Caro-Kann Defense - Main Lines: 3.Nc3 dxe4 4.Nxe4 Caro-Kann Defense - Panov Attack
DEPARTMENT OF DEFENSE Defense Acquisition Regulations System 48 CFR Parts 204, 212, 213, and 252 [Docket DARS-2019-0063] RIN 0750-AJ84 Defense Federal Acquisition Regulation Supplement: Covered Defense Telecommunications Equipment or Services (DFARS Case 2018-D022) AGENCY: Defense Acquisition Regulati
30:18 Defense — Fraud in the Inducement 30:19 Defense — Undue Influence 30:20 Defense — Duress 30:21 Defense — Minority 30:22 Defense — Mental Incapacity 30:23 Defense — Impossibility of Performance 30:24 Defense — Inducing a Breach by Words or Conduct
sia-Pacific Defense Outlook: Key Numbers4 A 6 Defense Investments: The Economic Context 6 Strategic Profiles: Investors, Balancers and Economizers . Asia-Pacific Defense Outlook 2016 Asia-Pacific Defense Outlook 2016. 3. Asia-Pacific Defense Outlook: . two-thirds of the region's economic product and nearly 75 percent of the 2015 regional .
The Orange County Archives will also be open from 10 am to 3 pm. The Archives are located in the basement of the Old County Courthouse in Santa Ana. For more information, please visit us at: OCRecorder.com Clerk-Recorder Hugh Nguyen and our North County team during the department's last Saturday Opening in Anaheim. During the month of April: Congratulations to Hapa Cupcakes on their ribbon .
